Fishwick, Chris writes:
> Hi All,
>
> I am probably being a little slow with this, but this is my situation:
Look in /usr/share/examples/ipf. Particularly for at the 'nat.eg' example.
> ISP <----- ISDN -----> Cisco Router <--- NetBSD ---> |-Server
> |
> |-Rest
> of Network
>
> The Cisco box has a globally routable IP, the NetBSD box has both a globally
> routable (203.1.1.1) & non routable (192.168.1.254) address. The Server has
> an IP address of 192.168.1.10 and the rest of the workstations are all
> within the 192.168.1.x range. I need to be able to have the workstations on
> the network talk to the internet freely, and also have the routable IP
> address on the NetBSD box do some port forwarding to the internal server.
> For instance, I need the NetBSD box to accept connections of port 25 and
> forward them to the server, same for ports 80 & 110 so that services such as
> SMTP, POP3 and WWW appear to the outside world, but while also blocking free
> access to the server.
So create /etc/ipnat.conf like this:
map XYZ0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map XYZ0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1024:65535
rdr XYZ0 0/0 port 22 -> 192.168.1.10 port 22 tcp
rdr XYZ0 0/0 port 25 -> 192.168.1.10 port 25 tcp
rdr XYZ0 0/0 port 80 -> 192.168.1.10 port 80 tcp
rdr XYZ0 0/0 port 110 -> 192.168.1.10 port 110 tcp
If you want some basic firewalling, create /etc/ipf.conf with:
block out on XYZ0 proto tcp all
block in on XYZ0 proto tcp all
block out on XYZ0 proto udp all
block in on XYZ0 proto udp all
pass out quick on XYZ0 proto tcp from any to any flags S/SAFR keep state
pass out quick on XYZ0 proto udp from any to any keep state
pass in quick proto tcp from any to any port = 22 flags S/SA keep state
pass in quick proto tcp from any to any port = 25 flags S/SA keep state
pass in quick proto tcp from any to any port = 80 flags S/SA keep state
pass in quick proto tcp from any to any port = 110 flags S/SA keep state
Substitute your actual OUTSIDE interface for XYZ0. (e.g. 'fxp0' perhaps)
Also add to /etc/rc.conf:
ipfilter=YES
ipnat=YES
And to /etc/sysctl.conf:
net.inet.ip.forwarding=1
Make sure all inside machines use 192.168.1.254 as the default router, and
the NetBSD uses the Cisco as the default router.
If you want to implement a transparent proxy/cache on outbound web requests,
you can install 'squid' and add the following to /etc/ipnat.conf:
rdr ABC0 192.168.1.254/32 port 80 -> 192.168.1.254 port 80 tcp
rdr ABC0 0/0 port 80 -> 192.168.1.254 port 3128 tcp
You will need to configure squid correctly for transparent mode, and make
sure you start it automatically.
This should be enough to get you started. Let me know if it doesn't work
for you.
-Andrew